Double free in check_file_actlst() #242

Closed
@RKX1209

Description

When I run the sadf utility with the stat file, it leads to a double free bug in check_file_actlst().

$ ./sadf dfree_sysstat.in
skip_extra_struct: extra_size=0 types=0,16777216,128
=================================================================
==25128==ERROR: AddressSanitizer: attempting double-free on 0x60b000000250 in thread T0:
    #0 0x7f83c49ab7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x55cc66ccab45 in check_file_actlst ~/sysstat/sa_common.c:2198
    #2 0x55cc66c4e3aa in read_stats_from_file ~/sysstat/sadf.c:1453
    #3 0x55cc66c474f7 in main ~/sysstat/sadf.c:1883
    #4 0x7f83c44fdb96 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x21b96)
    #5 0x55cc66c48ad9 in _start (~/sysstat/sadf+0x27ad9)

0x60b000000250 is located 0 bytes inside of 100-byte region [0x60b000000250,0x60b0000002b4)
freed by thread T0 here:
    #0 0x7f83c49ab7b8 in __interceptor_free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8)
    #1 0x55cc66cca6b1 in check_file_actlst ~/sysstat/sa_common.c:2155

previously allocated by thread T0 here:
    #0 0x7f83c49abf40 in realloc (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xdef40)
    #1 0x55cc66cc9f05 in check_file_actlst ~/sysstat/sa_common.c:2030

SUMMARY: AddressSanitizer: double-free (/usr/lib/x86_64-linux-gnu/libasan.so.4+0xde7b8) in __interceptor_free
==25128==ABORTING

If skip_extra_struct fails at this line, read_stats_from_file falls into the format_error: label and tries to free the buffer here.
However, the buffer has already been freed before, which causes the double free bug.

Thanks
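The ownership mistake described in the report, reduced to a self-contained C example (added here, not sysstat's code): a helper shaped like check_file_actlst frees the buffer on its error path, and the caller shaped like read_stats_from_file frees the same pointer again at its format_error label. The names check_file_actlst_like, read_stats_like and the instrumented checked_free are assumptions constructed for the example; a negative extra_size stands in for the rejected record.

```c
#include <stdlib.h>

static void *last_freed;   /* the most recently released block */
static int double_frees;   /* how many repeat frees were caught */

/* Instrumented free (constructed for this example, one live buffer at a time):
 * a second free of the same block is counted and skipped instead of
 * corrupting the heap, which is roughly what AddressSanitizer flagged above. */
static void checked_free(void *p) {
    if (p == NULL) return;
    if (p == last_freed) { double_frees++; return; }
    last_freed = p;
    free(p);
}

/* Stand-in for the step that rejected the record (assumption: a negative
 * extra_size models the corrupted file). */
static int skip_extra_struct(int extra_size) { return extra_size < 0 ? -1 : 0; }

/* Shape of the reported bug: the helper grows the buffer, frees it on its
 * error path, and returns failure while the caller still holds the pointer.
 * With fixed != 0 the helper also clears the caller's pointer, the smallest
 * change that turns the caller's later cleanup free into a no-op. */
static int check_file_actlst_like(char **buffer, int extra_size, int fixed) {
    char *grown = realloc(*buffer, 100);
    if (grown == NULL) return -1;
    *buffer = grown;
    if (skip_extra_struct(extra_size) < 0) {
        checked_free(*buffer);              /* first free */
        if (fixed) *buffer = NULL;          /* caller can no longer free it */
        return -1;
    }
    return 0;
}

/* Caller in the shape of read_stats_from_file: any failure jumps to
 * format_error, which releases the buffer. Returns the number of double
 * frees detected while processing one record. */
static int read_stats_like(int extra_size, int fixed) {
    char *buffer = NULL;
    last_freed = NULL;
    double_frees = 0;
    if (check_file_actlst_like(&buffer, extra_size, fixed) < 0)
        goto format_error;
    checked_free(buffer);                   /* normal path: single free */
    return double_frees;
format_error:
    checked_free(buffer);                   /* second free unless NULLed */
    return double_frees;
}
```

The cleaner fix is for only one function to own the buffer's lifetime, but clearing the caller-visible pointer after free is the minimal change that removes the second free.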
